Skip to content

SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast paths

Moderate severity GitHub Reviewed Published May 27, 2026 in surrealdb/surrealdb • Updated Jul 1, 2026

Package

cargo surrealdb (Rust)

Affected versions

< 3.1.0

Patched versions

3.1.0

Description

A record user could learn the value of a hidden field by counting how many records match a guess.

When DEFINE FIELD ... PERMISSIONS FOR select WHERE ... hides a field's contents from a caller, and that field is indexed, running SELECT count() FROM t WHERE hidden_field = "guess" GROUP ALL returned a count greater than zero whenever a record actually had that value — even though the caller was never allowed to read the field directly. The query planner used an indexed-COUNT shortcut (Index::Count, IndexCountScan, or the legacy Iterate Index Count / Iterate Index Keys paths) that counts matching index entries and skips the permission check that would normally hide the value. The same query with WITH NOINDEX correctly returned [], confirming the gap.

By repeating the count query with different guesses, an attacker can confirm or recover the contents of any restricted field they could not read through a normal SELECT.

Impact

What an attacker can do:

  • Confirm or recover values of a field protected by field-level SELECT permissions on any table they hold table-level SELECT on, provided the field is indexed.
  • Repeat the query with different guesses to read restricted field contents one value at a time.

What it can't do:

  • Read fields that are not indexed (the shortcut only fires when an index covers the predicate column).
  • Cross table, database or namespace isolation boundaries.
  • Modify data, escalate privileges, or affect availability.

Patches

The legacy planner (surrealdb/core/src/idx/planner/tree.rs) and the streaming planner (surrealdb/core/src/exec/planner/select/mod.rs) now both refuse the indexed fast path when the WHERE / ORDER tree references a field governed by a non-Full SELECT permission:

  • resolve_indexes skips any B-tree / unique index whose columns are governed by such a permission.
  • A new cond_touches_restricted_field flag is propagated; eval_count refuses a dedicated Index::Count when set.
  • The streaming planner adds cond_touches_restricted_select_field, a RestrictedIdiomChecker visitor that matches each idiom against the table's field-permission prefixes (loaded via the plan-time txn), and gates IndexCountScan emission on it.
  • The fast paths are preserved for root / owner sessions via should_check_perms_for_view.

Versions 3.1.0 and later are not affected.

Workarounds

Users unable to patch are advised to consider the following workarounds:

  • Avoid DEFINE INDEX on fields whose values are protected by field-level SELECT permissions. The class of attack is specific to the indexed fast paths.
  • Restrict the ability of record users to issue arbitrary SELECT count() … GROUP ALL queries against tables containing field-protected columns.
  • Use namespace / database isolation as the primary boundary where feasible.

References

@rowan-baker rowan-baker published to surrealdb/surrealdb May 27, 2026
Published to the GitHub Advisory Database Jul 1, 2026
Reviewed Jul 1, 2026
Last updated Jul 1, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS score

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-c8jx-96c9-8xrp

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.